We use MacFUSE to connect to our office development services. It lets us mount remote folders via SSHFS. The problem is that when we create a file via this connection, the default permissions are missing the group write bit, and so other users who connect to this system can't write to them.

ALWAYS validate user input! This is probably the most important point in the entire list. There are many nasty bots and spiders going round the web trying to break into your site, and the most common way in is through your web forms. There are various validation libraries out there to make your life easier (e.g. PEAR Validate, Zend Filter Input); use them!

Avoid SQL injections. If you validate user input correctly, then this should help you avoid SQL injection vulnerabilities. To be doubly safe you could use a database abstraction layer that, if used correctly with prepared statements, will automatically escape user input data. Check out PDO and Zend DB.

Avoid XSS attacks. An XSS attack is where malicious users are able to inject their own code into pages on your site that may be viewed by other users. You could strip tags from user input, and encode HTML entities in any plain text being output.

Don't transmit passwords and other secret information in plain text; submit them to a secure URL.

Be careful when allowing uploads. Check the file types, and only allow files you expect. Resample uploaded images in case there is any hidden code inside.

Use sessions instead of cookies, unless you really need the persistence of a cookie. Sessions are temporary and keep everything except the session ID hidden from the user’s machine.

Peer review your code. Get another developer to look through it; two heads are better than one!

Download the Wapiti and Grendel Scan web application vulnerability scanning tools and run them on your sites.

This is of course an overly simple list, and it can't protect against things like logic flaws, but if you were wondering where to start then I hope it will at least give you some useful inspiration!
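The first four tips above (validate input, prepared statements, output encoding, and checking and resampling uploads) pulled together into one small comment-form handler. This is an added example, not code from the original post; the comments table, column names, form field names and the PDO DSN in the usage note are assumptions.

```php
<?php
// Added example: a minimal comment-form handler applying the tips above.
// Table/column names, form fields and the DSN are assumptions for illustration.
declare(strict_types=1);

function validateComment(array $input): array
{
    $errors = [];
    $name  = trim((string)($input['name']  ?? ''));
    $email = trim((string)($input['email'] ?? ''));
    $body  = trim((string)($input['body']  ?? ''));

    // Allow-list the shape of each field rather than trying to strip "bad" characters.
    if (!preg_match('/^[\p{L}\p{N} .\'-]{1,60}$/u', $name)) {
        $errors['name'] = 'Name must be 1-60 letters, digits, spaces or .\'-';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Invalid e-mail address';
    }
    if ($body === '' || mb_strlen($body) > 2000) {
        $errors['body'] = 'Comment must be 1-2000 characters';
    }
    return [$errors, ['name' => $name, 'email' => $email, 'body' => $body]];
}

function saveComment(PDO $pdo, array $c): int
{
    // Prepared statement: the values never become part of the SQL text, so a
    // body such as "'); DROP TABLE comments; --" is stored as plain data.
    $stmt = $pdo->prepare(
        'INSERT INTO comments (name, email, body, created_at) VALUES (:name, :email, :body, NOW())'
    );
    $stmt->execute([':name' => $c['name'], ':email' => $c['email'], ':body' => $c['body']]);
    return (int)$pdo->lastInsertId();
}

function renderComment(array $c): string
{
    // Encode on output: a <script> tag in the body is shown as text, not executed.
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="comment"><b>' . $e($c['name']) . '</b><p>' . nl2br($e($c['body'])) . '</p></div>';
}

function checkImageUpload(array $file): ?string
{
    // Trust the file's bytes, not the client-supplied name or MIME type.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'upload failed';
    }
    $allowed = ['image/jpeg' => true, 'image/png' => true, 'image/gif' => true];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        return 'only JPEG, PNG and GIF images are accepted';
    }
    return null; // accepted; still resample before storing
}

function resampleImage(string $tmpPath, string $destPath): bool
{
    // Decode and re-encode with GD so only pixel data survives; any payload
    // hidden in metadata or appended after the image data is discarded.
    $img = @imagecreatefromstring((string)file_get_contents($tmpPath));
    if ($img === false) {
        return false;
    }
    $ok = imagejpeg($img, $destPath, 85);
    imagedestroy($img);
    return $ok;
}

// Usage (assumed DSN and credentials):
// $pdo = new PDO('mysql:host=localhost;dbname=blog;charset=utf8mb4', 'user', 'pass',
//     [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
// [$errors, $clean] = validateComment($_POST);
// if (!$errors) { saveComment($pdo, $clean); echo renderComment($clean); }
// if (isset($_FILES['avatar']) && checkImageUpload($_FILES['avatar']) === null) {
//     resampleImage($_FILES['avatar']['tmp_name'], '/var/www/uploads/avatar.jpg');
// }
```

Setting `PDO::ATTR_EMULATE_PREPARES` to false makes the driver send real server-side prepared statements, so the escaping is done by the database rather than reconstructed in PHP; encoding is done at output time (not on input) so the stored text stays usable in non-HTML contexts such as e-mail or JSON.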

Nimbus – An open source toolkit that allows you to turn your cluster into an Infrastructure-as-a-Service (IaaS) cloud.

Go Grid

Go Grid allows you to deploy and manage your own virtual servers from their control panel. The servers can be of 4 main types: Load Balancer, Web / App Server, Database Server and, Cloud Storage.

The site doesn't give a lot of detail about what happens once you've created your servers, apart from saying they are Real servers with Full Access. Presumably you would then need to configure the software (Apache, IIS etc.) on each server individually.

Billing Model

GoGrid charges based on Server RAM Hours and outbound data transfer. CPUs and Storage are fixed relative to the RAM chosen for each vserver.

CPUs are guaranteed at a minimum ratio of 1 Xeon Core per 4 GB of RAM, therefore if you create a server with 1 GB of RAM, it will have 1/4 of a Xeon Core reserved for its use.

Server RAM    Core Guaranteed (P4 2.0 GHz equivalent)    Core Burst
512 MB        1/8                                        1
1 GB          1/4                                        1
2 GB          1/2                                        1
4 GB          3                                          3
8 GB*         6                                          6

Storage is also determined by the amount of RAM chosen for each vserver; however, additional storage can be made available through the Cloud Storage system.

Server RAM    Storage
512 MB        30 GB
1 GB          60 GB
2 GB          120 GB
4 GB          240 GB
8 GB          480 GB

1 x 1 GB RAM x 24 hours x 30 days = 720 Server RAM hours.

Prices start from $0.19 per Server RAM hour, therefore a 1 GB / 0.25 Xeon Core machine would cost $136.80 per month. However, this would drop as low as $57.60 on their Enterprise plan, with a minimum commitment of $2499.99 a month. Bandwidth charges would be on top of this; they start from $0.50 per Gigabyte, dropping to $0.17 per Gigabyte if you commit to 6 TB a month ($999.99).

Summary

Go Grid is currently very much a "build your own cloud" solution. The system will not scale automatically to adjust to spikes in demand; you would need to anticipate them and create spare capacity in advance.

Amazon Web Services

Amazon Web Services consists of 3 main products:

Elastic Compute Cloud (EC2) – A Xen-based virtual server hosting platform. You can upload machine images to their platform, and then run them as virtual servers.

Simple Storage Service (S3) – A cloud storage solution. Lets you store files safely and reliably in the cloud.

CloudFront – A content delivery network enhancement to S3 that copies your files to a global network of edge servers. Requests for files are automatically routed to the nearest edge location, so content is delivered with the best possible performance.

Billing Model

CPU power is measured in EC2 Compute Units. One EC2 Compute Unit provides the equivalent CPU capacity of a 1.0-1.2 GHz 2007 Opteron or 2007 Xeon processor. There are 5 main instance types, each providing a different level of processing power, storage and memory.

Prices for EC2 Unix / Linux instances hosted in the United States are as follows:

Summary

Amazon Web Services is a very competitively priced platform that offers a great deal of flexibility; however, it also requires a fair amount of technical expertise to get up and running, and it doesn't come with any load balancing system, so you would have to build your own.

To address these problems, some third party companies have emerged who offer control panel and management systems for AWS. Examples of such companies include RightScale and 3tera. Their products are sometimes referred to as Virtual Private Data Centres, or Cloud Management Platforms.

RightScale offers a Website Edition package, which comes with all the tools and images you need to deploy a load balanced web / database cluster on AWS. For $500 a month, it will let you manage up to around 20 servers.

Currently there is no AdSense API for accessing account statistics / reports. Fortunately, Alex Polski (Victor Klepikovskiy) runs a project on Google Code that provides a PHP class to log in and download a variety of reports from AdSense.

I've been using the WordPress Mollom plugin for about 6 months now, and I have to say that I'm very impressed. In that time, I can count on one hand the number of spams that have slipped through the net. When I was using Akismet, spam comments were getting through daily.

Here are the stats that Mollom produced for my blog:

Which anti-spam plug-ins do you use on your blog, and how successful are they? Let us know by posting a comment!

It took us a while to work out how you grant additional users the Site Administrator permission in WordPress MU. We were expecting this to be on the users page, but actually it's hidden on the Site Admin > Options page.

However, once you realise where the option is, it's actually incredibly simple. You simply specify all the administrator usernames in a space-separated list, and press save.

On the edit user page you should then see that the users have Additional Capabilities: Administrator displayed.